Extinguishing the Vulnerability Management Dumpster Fire presented at BSidesRDU 2019

by Rebecca Deck

Summary: Vulnerability management seems like it should be no more than a harmless birthday candle, but too often it escalates into a full-on dumpster fire complete with flaming sofas.

All effective security programs have to deal with vulnerability management. It all seems so simple: vulnerabilities are discovered, patches are released, configuration changes are made, and no system should ever remain vulnerable. So how do enterprises end up with hundreds of thousands of known vulnerabilities? In practice, enterprise vulnerability management is a tangled web of change control, fear, hurt feelings, misinformation, and lack of knowledge. Vulnerabilities pile up, and patches fail to install even when administrators try to push them. The company rapidly loses faith in the vulnerability scanner, and teams accept the inevitability of failure.

This is an example of a troubled vulnerability management program that recovered and then returned to abject failure. We began with half a million vulnerabilities across around 5000 systems. During a three-month period, with a modest team and a plan, we reduced the number of unaddressed vulnerabilities by more than 80%.

This presentation details the team, meetings, patch schedule, and process used to reduce known vulnerabilities across the enterprise, followed by how to tank a previously successful program. There are no gory technical details, and the presentation is suitable for any skill level. The target audience is anyone working in vulnerability management in an enterprise.